Introduction to Basic Cryptography
Digital Signatures, Attacks on DLP
Kalyan Chakraborty
Harish-Chandra Research Institute
CIMPA School of Number Theory in Cryptography and Its Applications
School of Science, Kathmandu University,
Dhulikhel, Nepal
July 19 - July 31, 2010
Lecture 3: July 22, 2010
http://www.hri.res.in/~jaymehta/cryptographynotesCIMPA2010.pdf
Kalyan Chakraborty (HRI)
Introduction to basic Cryptography
July 22, 2010
1 / 38
Outline
1 Digital Signatures
    ElGamal Digital Signatures
    RSA Digital Signatures
    Hash Functions
    Diffie-Hellman Key Exchange
2 Attacks on DLP
    Shanks' Algorithm
    Pollard's Rho Algorithm
    The Pohlig-Hellman Algorithm
    The Index Calculus Method
Digital Signatures
ElGamal Digital Signatures
Using ElGamal for Digital Signature
Suppose we want to sign an e-document. One can digitize the signature and append it to the document.
But anyone who has access to it can simply remove the signature and attach it to something else.
Such an e-forgery is quite easy and cannot be distinguished from the original.
Hence we require that a digital signature cannot be separated from the message and attached to another.
It should also be easily verifiable by the other party.
A digital signature scheme consists of two steps:
1. The signing process.
2. The verification process.
A variation of the ElGamal cryptosystem provides a digital signature.
A signature for a message $M$ is a pair $(a, b)$ obtained by selecting a random integer $k$ with $\gcd(k, p-1) = 1$, where
$$a = g^k \bmod p, \qquad b = k^{-1}(M - xa) \bmod (p-1). \qquad \text{(ElGamal Signature)}$$
To verify a digital signature $s = (a, b)$, one checks that
$$y^a a^b \equiv g^M \pmod p, \qquad \text{(ElGamal Verification)}$$
where $y = g^x \bmod p$.
Exercise
Suppose Alice is using the ElGamal Signature Scheme with $p = 31847$, $\alpha = 5$ and $\beta = 25703$. Compute the values of $k$ and $a$ (without solving any instance of the DLP), given the following:
The signature (23972, 31396) for the message $x = 8900$.
The signature (23972, 20481) for the message $x = 31415$.
Security of ElGamal Digital Signature
If Alice wants to sign a second document, then she must choose a new random value of $k$.
Suppose she uses the same $k$ for two messages $M_1$ and $M_2$. Then the value of $a$ ($= g^k \bmod p$) will be the same in both signatures, so Eve will notice immediately that $k$ has been used twice.
The $b$-values are different. Let us call them $b_1$ and $b_2$.
Eve knows that
$$b_1 k - M_1 \equiv -xa \equiv b_2 k - M_2 \pmod{p-1}.$$
This implies
$$(b_1 - b_2)k \equiv M_1 - M_2 \pmod{p-1}.$$
She can solve for $k$. If $\gcd(b_1 - b_2, p-1) = d$, then there are $d$ solutions to the congruence, and they can be found.
Usually $d$ is small, so there are not many candidate values of $k$.
Eve computes $g^k$ for every possible value of $k$ and looks for the one which gives $a$.
Now she knows $k$.
She solves
$$xa \equiv M_1 - k b_1 \pmod{p-1}$$
for $x$.
There are $\gcd(a, p-1)$ possibilities for $x$.
Now Eve computes $g^x$ for each of these possibilities for $x$, until she finds $y$.
At this point she knows the private key $x$.
Thus she breaks the system and can produce Alice's signatures at will.
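
The signing and verification equations and the repeated-k weakness above, as an added Python example (not part of the original slides). The toy parameters p = 467, g = 2, the key x = 127, the nonce k = 213 and the two messages are constructed for illustration, and all function names are this example's own.

```python
from math import gcd

def solve_linear(c, r, m):
    """All z in [0, m) with c*z ≡ r (mod m): gcd(c, m) solutions, or none."""
    c, r = c % m, r % m
    d = gcd(c, m)
    if r % d:
        return []
    md = m // d
    z0 = 0 if md == 1 else (r // d) * pow(c // d, -1, md) % md
    return [z0 + t * md for t in range(d)]

def sign(p, g, x, M, k):
    """ElGamal signature (a, b) on M with private key x and per-message k."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be coprime to p - 1")
    a = pow(g, k, p)
    b = pow(k, -1, p - 1) * (M - x * a) % (p - 1)
    return a, b

def verify(p, g, y, M, sig):
    """Check y^a * a^b ≡ g^M (mod p), after range-checking a and b."""
    a, b = sig
    if not (0 < a < p and 0 <= b < p - 1):
        return False
    return pow(y, a, p) * pow(a, b, p) % p == pow(g, M, p)

def recover_from_reuse(p, g, y, M1, sig1, M2, sig2):
    """Return (k, x) if both signatures share the same a, else None."""
    (a1, b1), (a2, b2) = sig1, sig2
    if a1 != a2:
        return None                      # different k: nothing to exploit
    # (b1 - b2) k ≡ M1 - M2 (mod p-1): d candidates, keep the one with g^k = a
    for k in solve_linear(b1 - b2, M1 - M2, p - 1):
        if pow(g, k, p) == a1:
            break
    else:
        return None
    # x a ≡ M1 - k b1 (mod p-1): gcd(a, p-1) candidates, keep the one with g^x = y
    for x in solve_linear(a1, M1 - k * b1, p - 1):
        if pow(g, x, p) == y:
            return k, x
    return None

# Constructed toy key and messages (2 is a primitive root modulo 467).
P, G, X, K = 467, 2, 127, 213
Y = pow(G, X, P)
M1, M2 = 100, 300
SIG1 = sign(P, G, X, M1, K)
SIG2 = sign(P, G, X, M2, K)              # same k reused: the mistake

if __name__ == "__main__":
    print("signatures verify:", verify(P, G, Y, M1, SIG1), verify(P, G, Y, M2, SIG2))
    print("same first component:", SIG1[0] == SIG2[0])
    print("recovered (k, x):", recover_from_reuse(P, G, Y, M1, SIG1, M2, SIG2))
```

Comparing the first component a across stored signatures from one key is enough to detect that a signer has repeated k.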
RSA Digital Signature
Bob has a document that Alice agrees to sign. They do the following:
1. Alice generates two large primes $p, q$ and computes $n = pq$. She chooses $e_A$ such that $1 < e_A < \varphi(n)$ with $\gcd(e_A, \varphi(n)) = 1$, and calculates $d_A$ such that $e_A d_A \equiv 1 \pmod{\varphi(n)}$. She publishes $(e_A, n)$ and keeps $d_A, p, q$ private.
2. Alice's signature is $y = m^{d_A} \bmod n$ (where $m$ is the message).
3. The pair $(m, y)$ is then made public.
Bob verifies Alice's signature as follows:
1. Download Alice's $(e_A, n)$.
2. Calculate $z = y^{e_A} \bmod n$. If $z = m$, then he accepts the signature as valid.
Suppose Eve wants to attach Alice's signature to another message $m_1$.
She cannot simply use $(m_1, y)$, as $y^{e_A} \not\equiv m_1 \pmod n$.
Therefore, she needs $y_1$ with $y_1^{e_A} \equiv m_1 \pmod n$.
This is the same problem as decrypting an RSA "ciphertext" $m_1$ to obtain the "plaintext" $y_1$. This is hard.
Another possibility is that Eve chooses $y_1$ first, then lets the message be $m_1 \equiv y_1^{e_A} \pmod n$.
It does not appear that Alice can deny having signed the message $m_1$ under the scheme, but it is unlikely that $m_1$ will be of any meaning.
There is a variation on this procedure that allows Alice to sign a document without knowing its contents.
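
The scheme above next to a hash-then-sign variant, as an added Python example (not from the original slides): the pair built from a chosen $y_1$ passes the slide's check $z = m$ but is rejected once the verifier compares against a hash of the message. The toy key (two Mersenne primes, e = 65537), the use of SHA-256 and all function names are assumptions of this example.

```python
import hashlib

# Constructed toy key: two Mersenne primes, chosen only so the numbers are
# reproducible offline. Far too small and structured for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)                  # e_A * d_A ≡ 1 (mod φ(n))

def sign_textbook(m):
    """Slide scheme: y = m^d mod n for an integer message 0 <= m < n."""
    return pow(m, D, N)

def verify_textbook(m, y):
    """Slide check: accept if y^e mod n equals m."""
    return 0 <= m < N and pow(y, E, N) == m

def digest(msg):
    """SHA-256 of the message bytes, reduced into Z_n for this toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign_hashed(msg):
    """Hash-then-sign: the signature scheme is applied to h(msg)."""
    return pow(digest(msg), D, N)

def verify_hashed(msg, y):
    """Accept only if y^e mod n equals the hash of the presented message."""
    return pow(y, E, N) == digest(msg)

def chosen_signature_pair(y1):
    """The second option on the slide: fix y1, then set m1 = y1^e mod n."""
    return pow(y1, E, N), y1

def int_to_bytes(m):
    return m.to_bytes(max(1, (m.bit_length() + 7) // 8), "big")

if __name__ == "__main__":
    doc = b"pay Bob 10"                           # constructed sample message
    m = int.from_bytes(doc, "big")
    print("textbook, honest pair :", verify_textbook(m, sign_textbook(m)))
    m1, y1 = chosen_signature_pair(123456789)     # no private key involved
    print("textbook, chosen y1   :", verify_textbook(m1, y1))
    # With hashing, y1^e would have to equal h(m1), which the signer of y1
    # cannot arrange without inverting the hash function.
    print("hashed, chosen y1     :", verify_hashed(int_to_bytes(m1), y1))
    print("hashed, honest pair   :", verify_hashed(doc, sign_hashed(doc)))
```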
Some Remarks on the two Signature Schemes
ElGamal Digital Signature
The ElGamal scheme is an example of a signature with appendix.
The message is not easily recovered from the signature $(a, b)$.
The message $M$ must be included in the verification procedure.
RSA Digital Signature
In contrast, the RSA signature scheme is a message recovery scheme.
The message comes out automatically from the signature $y$.
Therefore, only $y$ needs to be sent, since anyone can deduce $M$ as $y^{e_A} \bmod n$.
Hash Functions
What is a hash function?
A hash function $h$ takes a message of "arbitrary length" as input and produces a "shorter message" of fixed length as output.
Why is it needed?
In the signature schemes discussed, the signature is at least as long as the message. This is a disadvantage when the message is long.
As a remedy, a hash function is used and the signature scheme is applied to the hash of the message instead of the message itself.
[Figure: Long Message → Hash Function → 160-Bit Message]
A hash function should satisfy:
Given a message $m$, the hashed message $h(m)$ should be easily computable.
It should be a one-way function.
It should be a collision-free function, i.e., it should be computationally infeasible to find two distinct messages $m_1$ and $m_2$ such that $h(m_1) = h(m_2)$.
There are several professional hash functions and among them Rivest's MD family is most popular. We provide an example which is good for illustration.
Example of Hash Function
Example: This example is due to Chaum, van Heijst and Pfitzmann. It is too slow to be used in practice.
Choose a large prime $p$ such that $q = (p-1)/2$ is also a prime.
Choose two primitive roots $\alpha$ and $\beta$ modulo $p$. Thus there exists $a$ such that $\alpha^a \equiv \beta \pmod p$.
$h$ will map integers modulo $q^2$ to integers modulo $p$. Therefore the hashed message contains approximately half as many bits as the message.
Write $m = x_0 + x_1 q$ with $0 \le x_0, x_1 \le q-1$. Then
$$h(m) \equiv \alpha^{x_0} \beta^{x_1} \pmod p.$$
One can show that it is probably collision-free.
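
The hash above in Python, as an added example (not part of the original slides), together with the reason a collision is hard to find: any collision immediately yields $a = \log_\alpha \beta$. The tiny parameters p = 23, α = 5, β = 7 are constructed for illustration so that a collision can be found by exhaustive search; function names are this example's own.

```python
from math import gcd

def cvhp_hash(m, p, alpha, beta):
    """h(m) = alpha^x0 * beta^x1 mod p, where m = x0 + x1*q and q = (p-1)/2."""
    q = (p - 1) // 2
    if not 0 <= m < q * q:
        raise ValueError("message must be an integer modulo q^2")
    x1, x0 = divmod(m, q)
    return pow(alpha, x0, p) * pow(beta, x1, p) % p

def find_collision(p, alpha, beta):
    """Exhaustive search over all q^2 inputs; feasible only for a toy prime."""
    q = (p - 1) // 2
    seen = {}
    for m in range(q * q):
        h = cvhp_hash(m, p, alpha, beta)
        if h in seen:
            return seen[h], m
        seen[h] = m
    return None

def dlog_from_collision(m, m2, p, alpha, beta):
    """Given h(m) == h(m2) with m != m2, return a with alpha^a ≡ beta (mod p)."""
    q = (p - 1) // 2
    (x1, x0), (y1, y0) = divmod(m, q), divmod(m2, q)
    # alpha^x0 * beta^x1 = alpha^y0 * beta^y1  =>  a*(x1 - y1) ≡ y0 - x0 (mod p-1)
    n = p - 1
    c, r = (x1 - y1) % n, (y0 - x0) % n
    d = gcd(c, n)               # 1 or 2, because 0 < |x1 - y1| < q and p-1 = 2q
    a0 = (r // d) * pow(c // d, -1, n // d) % (n // d)
    for t in range(d):          # at most two candidates to test
        a = a0 + t * (n // d)
        if pow(alpha, a, p) == beta:
            return a
    return None

if __name__ == "__main__":
    p, alpha, beta = 23, 5, 7   # constructed: q = 11 is prime, 5 and 7 are primitive roots
    m, m2 = find_collision(p, alpha, beta)
    print("collision:", m, m2, "hash value:", cvhp_hash(m, p, alpha, beta))
    print("log_alpha(beta) =", dlog_from_collision(m, m2, p, alpha, beta))
```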
Key Exchange
Keys are the most important component of a cryptosystem. Key exchanges are required for symmetric cryptosystems, which are faster than PKC and used in practice.
Key agreement is a type of protocol whereby a key is established by exchanging information between Alice and Bob.
It turns out that key agreement protocols are best done using Public Key Cryptography, which is more secure.
A famous example of this protocol is the Diffie-Hellman Key Exchange, which provides the key with two message transfers.
Diffie-Hellman Key Exchange
Let $p$ be a prime and $a$ be a primitive root modulo $p$.
User A key generation:
    Select private $X_A$: $X_A < p$.
    Calculate public $Y_A$: $Y_A = a^{X_A} \bmod p$.
User B key generation:
    Select private $X_B$: $X_B < p$.
    Calculate public $Y_B$: $Y_B = a^{X_B} \bmod p$.
Generation of secret key by A:
    $k = (Y_B)^{X_A} \bmod p$.
Generation of secret key by B:
    $k = (Y_A)^{X_B} \bmod p$.
User A:
    Generate random $X_A < p$.
    Calculate $Y_A = a^{X_A} \bmod p$.
User B:
    Generate random $X_B < p$.
    Calculate $Y_B = a^{X_B} \bmod p$.
$Y_A$ ↘ ↙ $Y_B$ (the public values cross over)
User A:
    $k = (Y_B)^{X_A} \bmod p = (a^{X_B})^{X_A} \bmod p = a^{X_B X_A} \bmod p$
User B:
    $k = (Y_A)^{X_B} \bmod p = (a^{X_A})^{X_B} \bmod p = a^{X_A X_B} \bmod p$
Attacks on Discrete Log Problem
Shanks' baby-step giant-step Algorithm (1972)
Description:
$m = \lceil \sqrt{p-1} \rceil$ (ceiling$(x) = \lceil x \rceil$ is the smallest integer not less than $x$.)
Compute $L_1 = \{(j, \alpha^{mj}),\ j = 0, 1, \ldots, m-1\}$ and $L_2 = \{(i, \beta\alpha^{-i}),\ i = 0, 1, \ldots, m-1\}$.
Sort $L_1$ and $L_2$ with respect to the second coordinate.
Find the same second coordinate in $L_1$ and $L_2$, say $(q, \alpha^{mq})$ and $(r, \beta\alpha^{-r})$, to get
$$\alpha^{mq} = \beta\alpha^{-r} \;\Rightarrow\; \beta = \alpha^{mq+r}$$
and $a = mq + r$.
Shanks' Algorithm: (G, n, α, β)
1 m ← ⌈√n⌉
2 for j ← 0 to m − 1
3     do compute α^(mj)
4 Obtain list L1
5 for i ← 0 to m − 1
6     do compute βα^(−i)
7 Obtain list L2
8 Find a pair (q, y) ∈ L1 and (r, y) ∈ L2
9 log_α β ← (mq + r) mod n
Comments on Algorithm
Step 3 in the algorithm is the "Baby-Step" and Step 6 is the "Giant-Step".
This method runs in $O(m \log m)$ time with $O(m)$ memory, where $m = \lceil \sqrt{n} \rceil$.
Example
$\log_2 15 \bmod 19 = ?$
$G = \mathbb{Z}_{19}^*$, $\alpha = 2$, $\beta = 15$, $\alpha^{-1} = 10$, $n = p - 1 = 18$, $m = 5$, $\alpha^m = 13$.
L1: (j, α^(mj))    L2: (i, βα^(−i))
(0, 1)             (0, 15)
(1, 13)            (1, 17)
(2, 17)            (2, 18)
(3, 12)            (3, 9)
(4, 4)             (4, 14)
Then $q = 2$ and $r = 1$, so $mq + r = 11 \Rightarrow \log_2 15 \bmod 19 = 11$.
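
The algorithm above in Python, as an added example (not part of the original slides). It reproduces the two lists of the worked example and also handles an element α whose order n is smaller than p − 1; the function name and the use of a dictionary lookup in place of sorting are choices of this example.

```python
from math import isqrt

def shanks(alpha, beta, p, n):
    """Return (log_alpha(beta) mod n, L1, L2) in Z_p^*, where alpha has order n.

    The logarithm is None when beta is not a power of alpha.
    """
    m = isqrt(n - 1) + 1                      # ceil(sqrt(n)) for n >= 1
    alpha_m = pow(alpha, m, p)                # alpha^m
    alpha_inv = pow(alpha, -1, p)             # alpha^(-1)

    # L1 = {(j, alpha^(m j))}: built by repeated multiplication by alpha^m
    L1, y = [], 1
    for j in range(m):
        L1.append((j, y))
        y = y * alpha_m % p

    # L2 = {(i, beta * alpha^(-i))}: built by repeated multiplication by alpha^(-1)
    L2, y = [], beta % p
    for i in range(m):
        L2.append((i, y))
        y = y * alpha_inv % p

    # Matching second coordinates: a hash table gives the same result as
    # sorting both lists and merging, in O(m) expected time.
    index = {}
    for j, y in L1:
        index.setdefault(y, j)                # keep the smallest j per value
    for r, y in L2:
        if y in index:
            q = index[y]
            return (m * q + r) % n, L1, L2
    return None, L1, L2

if __name__ == "__main__":
    log, L1, L2 = shanks(2, 15, 19, 18)       # the example from the slides
    print("L1:", L1)
    print("L2:", L2)
    print("log_2 15 mod 19 =", log)
```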
Pollard's Rho Algorithm (1978)
This is the corresponding algorithm for finding discrete logarithms. As with the Rho algorithm for factoring, one forms a sequence $\{x_1, x_2, \ldots\}$ by iteratively applying a random function $f$.
Once one obtains two elements $x_i$ and $x_j$ such that $x_i = x_j$ for $i < j$, then hopefully one can compute $\log_\alpha \beta$.
As in the factoring algorithm, one looks for a collision of the form $x_i = x_{2i}$.
This algorithm needs less storage than Shanks' algorithm and runs in approximately the same time.
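Let $(G, \cdot)$ be a group, $\alpha \in G$, $o(\alpha) = n$.
Let $\beta \in \langle\alpha\rangle$. We can treat $\log_\alpha \beta \in \mathbb{Z}_n$.
Partition $G$ into 3 roughly equal-sized sets $S_1, S_2, S_3$. Let $x_0 = 1_G$ and $x_0 \notin S_2$.
Define a function $f : \langle\alpha\rangle \times \mathbb{Z}_n \times \mathbb{Z}_n \to \langle\alpha\rangle \times \mathbb{Z}_n \times \mathbb{Z}_n$ by
$$f(x, a, b) = \begin{cases} (\beta x,\ a,\ b+1) & \text{if } x \in S_1 \\ (x^2,\ 2a,\ 2b) & \text{if } x \in S_2 \\ (\alpha x,\ a+1,\ b) & \text{if } x \in S_3. \end{cases}$$
Each triplet $(x, a, b)$ that we form has the property that $x = \alpha^a \beta^b$.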
We begin with an initial triplet $(1, 0, 0)$.
Note that $f(x, a, b)$ satisfies the desired property if $(x, a, b)$ does. Thus, we define
$$(x_i, a_i, b_i) = \begin{cases} (1, 0, 0) & \text{if } i = 0 \\ f(x_{i-1}, a_{i-1}, b_{i-1}) & \text{if } i \ge 1. \end{cases}$$
We compare $(x_{2i}, a_{2i}, b_{2i})$ and $(x_i, a_i, b_i)$ until we find a value of $i \ge 1$ such that
$$x_{2i} = x_i.$$
When this occurs, we have
$$\alpha^{a_{2i}} \beta^{b_{2i}} = \alpha^{a_i} \beta^{b_i}.$$
If we denote $c = \log_\alpha \beta$, then we must have
$$\alpha^{a_{2i} + c b_{2i}} = \alpha^{a_i + c b_i}.$$
Since $\mathrm{ord}(\alpha) = n$, we have
$$a_{2i} + c\, b_{2i} \equiv a_i + c\, b_i \pmod n$$
$$\Rightarrow\ c\,(b_{2i} - b_i) \equiv a_i - a_{2i} \pmod n.$$
If $(b_{2i} - b_i, n) = 1$, then we can solve for $c$ as
$$c = (a_i - a_{2i})(b_{2i} - b_i)^{-1} \pmod n.$$
If $(b_{2i} - b_i, n) = d$, we have
$$c = (a_i - a_{2i})(b_{2i} - b_i)^{-1} \pmod{n/d}.$$
This gives us $d$ choices of $c$. Usually $d$ is small, so we can try all possibilities until we have the result.
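The iteration and the final solve for c described above, as an added Python example (not code from the lecture). It works in the order-n subgroup generated by alpha in Z_p^*; the partition by x mod 3, the function names and the restart from (alpha^a0, a0, 0) when a collision gives b_2i = b_i are assumptions of this example.

```python
from math import gcd

def f(x, a, b, p, n, alpha, beta):
    """One step of f; the partition by x mod 3 is an assumption (1 lands in S1, not S2)."""
    r = x % 3
    if r == 1:                                   # S1: (beta*x, a, b+1)
        return x * beta % p, a, (b + 1) % n
    if r == 0:                                   # S2: (x^2, 2a, 2b)
        return x * x % p, 2 * a % n, 2 * b % n
    return x * alpha % p, (a + 1) % n, b         # S3: (alpha*x, a+1, b)

def rho_dlog(p, alpha, beta, n):
    """Return c with alpha^c = beta (mod p); alpha has order n, beta lies in <alpha>."""
    for a0 in range(n):                          # a0 = 0 is the page's start (1, 0, 0)
        slow = fast = (pow(alpha, a0, p), a0, 0)
        while True:                              # compare (x_i, ..) with (x_2i, ..)
            slow = f(*slow, p, n, alpha, beta)
            fast = f(*f(*fast, p, n, alpha, beta), p, n, alpha, beta)
            if slow[0] == fast[0]:
                break
        A = (slow[1] - fast[1]) % n              # a_i - a_2i
        B = (fast[2] - slow[2]) % n              # b_2i - b_i
        d = gcd(B, n)
        if d == n:                               # b_2i = b_i: no information, new start
            continue
        m = n // d
        c0 = (A // d) * pow(B // d, -1, m) % m   # c modulo n/d
        for k in range(d):                       # the d candidates c0 + k*(n/d)
            c = c0 + k * m
            if pow(alpha, c, p) == beta:
                return c
    raise ValueError("no usable collision; is beta in <alpha>?")

if __name__ == "__main__":
    # Parameters of the lecture's Pohlig-Hellman example: p = 37, alpha = 2, beta = 19.
    print(rho_dlog(37, 2, 19, 36))
```

Only two triplets are held in memory at any time, which is the storage advantage over Shanks' table.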
Pohlig-Hellman Algorithm (1978)
Let $\alpha$ be a generator of $\mathbb{F}_p^*$ and $\beta \in \mathbb{F}_p^*$. Assume
$$p - 1 = \prod_{j=1}^{r} p_j^{c_j}; \quad c_j \in \mathbb{N}; \quad p_j\text{'s are distinct primes.}$$
To compute $a = \log_\alpha \beta$, we compute $a \bmod p_j^{c_j}$ for $j = 1, 2, \ldots, r$, then apply the Chinese Remainder Theorem. As we operate on each prime power, we replace $p_j$ with $q$ and refer to $q^c$.
To compute $a \bmod q^c$ we need to determine $a$ in its base $q$ representation:
$$a = \sum_{i=0}^{c-1} b_i q^i, \quad 0 \le b_i \le q - 1, \quad 0 \le i \le c - 1.$$
First set $\beta_0 = \beta = \alpha^a$ and observe that
$$(p - 1) \sum_{k=i}^{c-1} b_k q^{k-i-1} \equiv (p - 1)\,\frac{b_i}{q} \pmod{p - 1} \qquad (1)$$
1. Calculate $b_0$, by (1):
$$\beta_0^{(p-1)/q} \equiv \alpha^{(p-1) b_0 / q} \pmod p \quad \text{(Fermat's little thm.)} \qquad (2)$$
We compute $\alpha^{(p-1)k/q} \pmod p$ until (2) is satisfied, and then $k = b_0$.
2. Calculate $b_i$ for $i = 1, 2, \ldots, c - 1$.
First recursively define $\beta_i = \beta_{i-1}\, \alpha^{-\sum_{k=0}^{i-1} b_k q^k}$. By (1),
$$\beta_i^{(p-1)/q^{i+1}} \equiv \alpha^{(p-1) \sum_{k=i}^{c-1} b_k q^{k-i-1}} \equiv \alpha^{(p-1) b_i / q} \pmod p \qquad (3)$$
So, we compute $\alpha^{(p-1)k/q} \bmod p$ for non-zero $k \le c$ until (3) is satisfied, in which case $k = b_i$.
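Pohlig-Hellman Algorithm
Algorithm: $(G, n, \alpha, \beta, q, c)$
    $j \leftarrow 0$
    $\beta_j \leftarrow \beta$
    while $j \le c - 1$ do
        $\delta \leftarrow \beta_j^{\,n/q^{j+1}}$
        find $i$ such that $\delta = \alpha^{i n / q}$
        $b_j \leftarrow i$
        $\beta_{j+1} \leftarrow \beta_j\, \alpha^{-b_j q^j}$
        $j \leftarrow j + 1$
    return $(b_0, \ldots, b_{c-1})$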
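Example. Let $p = 37$. $\alpha = 2$ generates $\mathbb{F}_{37}^*$.
Given $\beta_0 = \beta = 19$, we want to compute $a = \log_2(19)$ in $\mathbb{F}_{37}^*$.
$p - 1 = 36 = 2^2 \cdot 3^2 = p_1^{c_1} p_2^{c_2}$. All congruences are assumed to be mod 37.
For $p_1 = 2$:

| $k$ | $\alpha^{(p-1)k/p_1}$ |
|-----|------------------------|
| 0   | 1                      |
| 1   | $2^{18} \equiv 36$     |

| $i$ | $\beta_i$                   | $\beta_i^{(p-1)/p_1^{i+1}}$ | $b_i$ |
|-----|-----------------------------|------------------------------|-------|
| 0   | 19                          | $19^{18} \equiv 36$          | 1     |
| 1   | $19 \cdot 2^{-1} \equiv 28$ | $28^{9} \equiv 36$           | 1     |

Thus the base 2 representation of $\log_2(19) \bmod 4$ is
$$\sum_{i=0}^{c-1} b_i p_1^i = 1 \cdot 2^0 + 1 \cdot 2^1 \equiv 3 \bmod 4 \qquad (4)$$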
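For $p_2 = 3$:

| $k$ | $\alpha^{(p-1)k/p_2}$ |
|-----|------------------------|
| 0   | 1                      |
| 1   | $2^{12} \equiv 26$     |
| 2   | $2^{24} \equiv 10$     |

| $i$ | $\beta_i$                   | $\beta_i^{(p-1)/p_2^{i+1}}$ | $b_i$ |
|-----|-----------------------------|------------------------------|-------|
| 0   | 19                          | $19^{12} \equiv 10$          | 2     |
| 1   | $19 \cdot 2^{-2} \equiv 14$ | $14^{4} \equiv 10$           | 2     |

Thus, the base 3 representation of $\log_2(19) \bmod 9$ is
$$\sum_{i=0}^{c_2 - 1} b_i p_2^i = 2 \cdot 3^0 + 2 \cdot 3^1 \equiv 8 \bmod 9 \qquad (5)$$
On solving (4) and (5) by the Chinese Remainder Theorem, we get $a = \log_2 19 = 35$ in $\mathbb{F}_{37}^*$.
If $n = p - 1$, then given the factorization of $n$ the running time is
$$O\Big(\sum_{j=1}^{r} c_j \big(\ln n + \sqrt{p_j}\big)\Big) \text{ group multiplications.}$$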
Chinese Remainder Theorem
Suppose $m_1, m_2, \ldots, m_r$ are pairwise relatively prime positive integers, and let $a_1, a_2, \ldots, a_r$ be integers. Then the system of $r$ congruences $x \equiv a_i \pmod{m_i}$ $(1 \le i \le r)$ has a unique solution modulo $M = m_1 \times \ldots \times m_r$, which is given by
$$x = \sum_{i=1}^{r} a_i M_i y_i \bmod M,$$
where $M_i = M/m_i$ and $y_i = M_i^{-1} \bmod m_i$, for $1 \le i \le r$.
Example: Here we have $x \equiv 3 \pmod 4$ and $x \equiv 8 \pmod 9$. So, by CRT,
$$x \equiv 3 \cdot 9 \cdot (9^{-1} \bmod 4) + 8 \cdot 4 \cdot (4^{-1} \bmod 9) \pmod{36}$$
$$\equiv 3 \cdot 9 \cdot 1 + 8 \cdot 4 \cdot 7 \pmod{36}$$
$$\equiv 35 \pmod{36}$$
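The Pohlig-Hellman digit loop and the CRT combination above, as an added Python example (not code from the lecture). It runs the page's algorithm with n = p − 1 for every prime power of p − 1 and reproduces the p = 37 example; the trial-division factoring, the lookup table for "find i" and the function names are assumptions of this example.

```python
from math import prod

def factorize(n):
    """Trial division: {prime: exponent}. Adequate for the small moduli used here."""
    out, q = {}, 2
    while q * q <= n:
        while n % q == 0:
            out[q] = out.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:
        out[n] = out.get(n, 0) + 1
    return out

def digits_mod_prime_power(p, alpha, beta, q, c):
    """Base-q digits (b_0, ..., b_{c-1}) of log_alpha(beta) mod q^c, alpha a generator."""
    n = p - 1
    table = {pow(alpha, i * n // q, p): i for i in range(q)}   # alpha^(i n/q) -> i
    digits, beta_j = [], beta
    for j in range(c):
        delta = pow(beta_j, n // q ** (j + 1), p)              # beta_j^(n / q^(j+1))
        b_j = table[delta]                                     # i with delta = alpha^(i n/q)
        digits.append(b_j)
        beta_j = beta_j * pow(alpha, -b_j * q ** j, p) % p     # strip the digit just found
    return digits

def crt(residues, moduli):
    """x = sum a_i * M_i * y_i mod M, with M_i = M / m_i and y_i = M_i^(-1) mod m_i."""
    M = prod(moduli)
    return sum(a * (M // m) * pow(M // m, -1, m) for a, m in zip(residues, moduli)) % M

def pohlig_hellman(p, alpha, beta):
    """log_alpha(beta) in F_p^*: one residue per prime power of p - 1, then CRT."""
    residues, moduli = [], []
    for q, c in factorize(p - 1).items():
        digits = digits_mod_prime_power(p, alpha, beta, q, c)
        residues.append(sum(b * q ** i for i, b in enumerate(digits)))
        moduli.append(q ** c)
    return crt(residues, moduli)

if __name__ == "__main__":
    print(digits_mod_prime_power(37, 2, 19, 2, 2))   # digits for p1 = 2
    print(digits_mod_prime_power(37, 2, 19, 3, 2))   # digits for p2 = 3
    print(pohlig_hellman(37, 2, 19))
```

The cost is governed by the largest prime factor of p − 1, which is why a group whose order has only small prime factors gives no protection.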
Index Calculus Method
This algorithm is applicable to the particular situation of finding the discrete log in $\mathbb{Z}_p^*$, where $\alpha$ is a primitive element mod $p$.
In such a situation this algorithm is faster than the others.
This method uses a factor base, which is a set $\mathcal{B}$ of small primes. Suppose $\mathcal{B} = \{p_1, p_2, \ldots, p_B\}$.
1st Step: Find the discrete logarithms of the $B$ primes in the factor base.
2nd Step: Compute the discrete logarithm of a desired element $\beta$, using the knowledge of the discrete logarithms of the elements in the factor base.
Explanation
Let $c = B + 10$ (a bit bigger than $B$).
One constructs $c$ congruences mod $p$ which have the form:
$$\alpha^{x_j} \equiv p_1^{a_{1j}} p_2^{a_{2j}} \cdots p_B^{a_{Bj}} \pmod p \quad \text{for } 1 \le j \le c.$$
These congruences can be written equivalently as:
$$x_j \equiv a_{1j} \log_\alpha p_1 + \cdots + a_{Bj} \log_\alpha p_B \pmod{p - 1}, \quad 1 \le j \le c.$$
Given $c$ congruences in the $B$ "unknowns" $\log_\alpha p_i$ $(1 \le i \le B)$, we hope that there is a unique solution mod $p - 1$. In this case, we compute the logarithms in the factor base.
To generate the $c$ congruences in the desired form, take a random $x$, compute $\alpha^x \bmod p$; then determine if $\alpha^x \bmod p$ has all its factors in $\mathcal{B}$.
After pre-computation, we compute a desired logarithm $\log_\alpha \beta$:
Choose a random integer $s$ $(1 \le s \le p - 2)$ and compute
$$\gamma = \beta \alpha^s \bmod p.$$
Now attempt to factor $\gamma$ over $\mathcal{B}$. If this can be done, we obtain a congruence of the form:
$$\beta \alpha^s \equiv p_1^{c_1} p_2^{c_2} \cdots p_B^{c_B} \pmod p$$
$$\Rightarrow\ \log_\alpha \beta + s \equiv c_1 \log_\alpha p_1 + \cdots + c_B \log_\alpha p_B \pmod{p - 1}.$$
Since all terms except $\log_\alpha \beta$ are known, we can get $\log_\alpha \beta$.
Example of Index Calculus method
Example: $\log_5 9451 \bmod 10007 = ?$
Choose $\mathcal{B} = \{2, 3, 5, 7\}$.
Of course $\log_5 5 = 1$, so there are three logs of factor base elements to be determined.
Use exponents 4063, 5136 and 9865:
$$5^{4063} \bmod 10007 = 42 = 2 \times 3 \times 7$$
$$5^{5136} \bmod 10007 = 54 = 2 \times 3^3$$
$$5^{9865} \bmod 10007 = 189 = 3^3 \times 7.$$
And so we have 3 congruences:
$$\log_5 2 + \log_5 3 + \log_5 7 = 4063 \bmod 10006$$
$$\log_5 2 + 3 \log_5 3 = 5136 \bmod 10006$$
$$3 \log_5 3 + \log_5 7 = 9865 \bmod 10006$$
(we now have 3 congruences in 3 unknowns)
There happens to be a unique solution mod 10006, namely
$$\log_5 2 = 6578, \quad \log_5 3 = 6190, \quad \log_5 7 = 1301.$$
Choose random exponent $s = 7736$ and try to calculate
$$\beta \alpha^s = 9451 \times 5^{7736} \bmod 10007 = 8400.$$
Since $8400 = 2^4 \times 3 \times 5^2 \times 7$ factors over $\mathcal{B}$,
$$\log_5 9451 = (4 \log_5 2 + \log_5 3 + 2 \log_5 5 + \log_5 7 - s) \bmod 10006$$
$$= (4 \times 6578 + 6190 + 2 \times 1 + 1301 - 7736) \bmod 10006$$
$$= 6057 \bmod 10006$$
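Both stages of the index calculus method, as an added Python example (not code from the lecture), run on the page's parameters p = 10007, alpha = 5, beta = 9451 and factor base {2, 3, 5, 7}. The fixed random seed, the function names and the choice to solve the congruences by Gaussian elimination that pivots only on units mod p − 1 (collecting further relations until that succeeds) are assumptions of this example, so the exponents it draws differ from the ones on the slide.

```python
import random
from math import gcd

def factor_over(base, m):
    """Exponent vector of m over the factor base, or None if m is not smooth."""
    exps = []
    for q in base:
        e = 0
        while m % q == 0:
            m //= q
            e += 1
        exps.append(e)
    return exps if m == 1 else None

def solve_mod(rows, n, k):
    """Solve k unknowns from rows [a_1..a_k | x] mod n, pivoting on units only."""
    rows = [r[:] for r in rows]
    for col in range(k):
        piv = next((r for r in range(col, len(rows))
                    if gcd(rows[r][col], n) == 1), None)
        if piv is None:
            return None                        # no invertible pivot yet: need more relations
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, n)
        rows[col] = [v * inv % n for v in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                t = rows[r][col]
                rows[r] = [(u - t * v) % n for u, v in zip(rows[r], rows[col])]
    return [rows[i][k] for i in range(k)]

def index_calculus(p, alpha, beta, base, seed=2010):
    """log_alpha(beta) in Z_p^*, alpha primitive mod p."""
    rng, n, k = random.Random(seed), p - 1, len(base)
    relations, logs = [], None
    while logs is None:                        # step 1: logs of the factor base
        x = rng.randrange(1, n)
        exps = factor_over(base, pow(alpha, x, p))
        if exps is not None:
            relations.append(exps + [x])       # x = sum a_i * log(p_i) mod (p - 1)
            if len(relations) >= k:
                logs = solve_mod(relations, n, k)
    while True:                                # step 2: the desired logarithm
        s = rng.randrange(1, n)
        exps = factor_over(base, beta * pow(alpha, s, p) % p)
        if exps is not None:
            return (sum(e * l for e, l in zip(exps, logs)) - s) % n

if __name__ == "__main__":
    print(index_calculus(10007, 5, 9451, [2, 3, 5, 7]))
```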
THANK YOU